User:Hipaat/Consent Management

Definition
Consent Management is a process that:


 * 1) enables consumers to establish privacy directives that determine who may access their electronic personal/protected health information (PHI), for what purpose and under what circumstances, within the policy framework of an organization and/or jurisdiction


 * 2) enables the creation of organizational and jurisdictional privacy policies


 * 3) enforces those directives and policies through access control mechanisms.

Examples of consent directives/policies
Consumer consent directives:

Do not allow Dr. Jon Smith to access my PHI.

Organizational privacy policy:

No healthcare employee is to access another employee's PHI, unless expressly authorized.

Jurisdictional privacy policy:

Only specifically-authorized individuals shall have access to mental health records.

An organization’s (e.g. a hospital’s) privacy policy can range from general (all PHI may be accessed for the patient’s benefit) to specific (PHI “X” can only be accessed by physicians “A”, “B” or “C” if situation “Y” arises). A privacy policy can carry many elements; the attributes a policy decides on may include, but are not limited to, the:


 * user/caregiver accessing the information (name, role, group, location, etc.)


 * patient (name, classification, location, etc.)


 * information being accessed (sensitivity, scope, reason, etc.)
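The three policy layers and the elements listed above map naturally onto attribute-based access control: each directive or policy is a rule that inspects attributes of the user, the patient and the information, and returns permit, deny or not-applicable, and an enforcement point combines the rules. The following is an added illustration of that combination using the page's own three example rules (it is not code from any of the standards listed below, and the attribute names, the user/patient identifiers such as "u-smith" and "p-1", and the authorization labels are assumptions). Deny-overrides is used so that a consumer directive or a jurisdictional restriction always wins over an organizational "treatment" permit, and the evaluator also reports which rule decided, which is what an audit log needs.

```python
"""Attribute-based evaluation of consumer consent directives, organizational
policy and jurisdictional policy.  Every rule returns PERMIT, DENY or
NOT_APPLICABLE for a request; the enforcement point combines them with
deny-overrides and a default deny, and records the deciding rule.
Added illustration; attribute names, identifiers and authorization labels
are assumptions, not taken from any standard."""
from dataclasses import dataclass

PERMIT, DENY, NA = "PERMIT", "DENY", "NOT_APPLICABLE"


@dataclass(frozen=True)
class Request:
    user_id: str                 # who is asking, e.g. "u-smith" (assumed id)
    role: str                    # physician, nurse, clerk, ...
    user_is_employee: bool
    patient_id: str
    patient_is_employee: bool
    record_type: str             # "general" or "mental_health"
    purpose: str                 # "treatment", "billing", ...
    authorizations: frozenset = frozenset()  # explicit grants the user holds


# Consumer consent directive: "Do not allow Dr. Jon Smith to access my PHI."
def block_user(blocked_user_id):
    def rule(req):
        return DENY if req.user_id == blocked_user_id else NA
    rule.name = f"consumer:block:{blocked_user_id}"
    return rule


# Organizational policy: no employee reads another employee's PHI
# unless expressly authorized (grant label "employee_phi" is assumed).
def org_employee_phi(req):
    if (req.user_is_employee and req.patient_is_employee
            and "employee_phi" not in req.authorizations):
        return DENY
    return NA
org_employee_phi.name = "org:employee-phi"


# Organizational policy, the "general" variant from the page:
# clinicians may access PHI for the patient's treatment.
def org_treatment(req):
    if req.purpose == "treatment" and req.role in ("physician", "nurse"):
        return PERMIT
    return NA
org_treatment.name = "org:treatment"


# Jurisdictional policy: only specifically authorized individuals
# may access mental health records (grant label "mental_health" is assumed).
def jurisdiction_mental_health(req):
    if req.record_type != "mental_health":
        return NA
    return PERMIT if "mental_health" in req.authorizations else DENY
jurisdiction_mental_health.name = "jurisdiction:mental-health"


ORG_RULES = [org_employee_phi, org_treatment]
JURISDICTION_RULES = [jurisdiction_mental_health]


def evaluate(req, consumer_directives, org_rules=ORG_RULES,
             jurisdiction_rules=JURISDICTION_RULES):
    """Deny-overrides: any DENY wins, then any PERMIT, otherwise DENY.
    Returns (decision, name of the deciding rule) for the audit log."""
    rules = (list(consumer_directives.get(req.patient_id, []))
             + list(org_rules) + list(jurisdiction_rules))
    permitted_by = None
    for rule in rules:
        outcome = rule(req)
        if outcome == DENY:
            return DENY, rule.name
        if outcome == PERMIT and permitted_by is None:
            permitted_by = rule.name
    if permitted_by:
        return PERMIT, permitted_by
    return DENY, "default-deny"


# Constructed sample data: patient p-1 has filed the directive from the page.
CONSENT_DIRECTIVES = {"p-1": [block_user("u-smith")]}


def decide(**attributes):
    """Build a Request from attributes and evaluate it against the sample directives."""
    return evaluate(Request(**attributes), CONSENT_DIRECTIVES)


if __name__ == "__main__":
    # Dr. Smith (u-smith) asking for p-1's record: the consumer directive denies it.
    print(decide(user_id="u-smith", role="physician", user_is_employee=True,
                 patient_id="p-1", patient_is_employee=False,
                 record_type="general", purpose="treatment"))
```

Note the ordering consequence of deny-overrides: a physician treating a patient is permitted by the organizational rule, but the same physician reading that patient's mental health record is denied unless the jurisdictional grant is held, and a request matching no rule at all (a clerk with a billing purpose) falls through to the default deny rather than being silently allowed.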

Industry References
The need to accommodate and automate consumer privacy preferences in health information exchange is recognized by the healthcare industry through various standards activities and consent discussions:


 * American Medical Informatics Association (AMIA), “e-Consent: The Design and Implementation of Consumer Consent Mechanisms in an Electronic Environment,” by Enrico Coiera, MBBS, PhD and Roger Clarke, MComm, PhD


 * Canada Health Infoway, iEHR Tech II Project, Standards Collaborative Partnership


 * Health Information Security and Privacy Collaboration (HISPC)


 * Health Information Technology Standards Panel (HITSP), “TP 30 - HITSP Manage Consent Directives Transaction Package.”


 * Health Level 7, “Community-based Collaborative Care Project.”


 * Integrating the Healthcare Enterprise (IHE), “Basic Patient Privacy Consents (BPPC).”


 * Organization for the Advancement of Structured Information Standards (OASIS), “Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare Version 1.0.”